In the absence of an international treaty defining what cyber sovereignty consists of, it is hard to figure out the boundaries, much less police them effectively.

The geopolitics of cyber power suggests that centrally directed government espionage is…tolerated by U.S. officials.

…and…

There is no fear among U.S. officials that China would ever mount a crippling cyber attack against U.S. infrastructure, even though they have mapped our electrical grid and probably left behind some malware that could be triggerable at a later date. (For what it’s worth, the U.S. has also mapped China’s electrical grid.)

The entire post is remarkable, but these three sentences point to the international norms that have developed organically around the use of cyberspace to project power. Ambinder’s post is yet more confirmation that every day, no matter what governments or companies deny, information networks are subject to “attacks” – read unauthorized penetration and potential tampering – at a volume which is only hinted at, but is presumed to be stunning, and likely originates with governments as well as criminals. This happens largely out of sight, except for those directly involved – and it’s difficult to resist parallels with military activities in Afghanistan and elsewhere. We have come to accept, as a new norm, the unauthorized reconnaissance of networks that (presumably, but not always) exist within national boundaries – much as the international community already accepts, with a few glaring exceptions, that states will attempt to maintain surveillance of other states’ activities, without authorization.

The analogy doesn’t hold, though. Surveillance conducted in the physical world still presumes that sovereignty remains respected – and there are still several steps of tension between surveillance that a state perceives as “crossing the line” and outright conflict. If reconnaissance in an information network is accompanied by tampering – see Ambinder’s reference to malware that “could be triggerable,” above – the distance between reconnaissance and conflict is much, much shorter. If you accept the feasibility of the “Digital Pearl Harbor” threat (and I don’t), wouldn’t the placement of “triggerable malware” be the equivalent of finding, say, explosives rigged for remote detonation outside key infrastructure? Should there be a pattern of norms in cyberspace that is fundamentally different for that governing states’ behavior in the physical world?

Ambinder’s post hints that the pattern is actually closer to a MAD relationship (see the third quote above, emphasis on the for what it’s worth part), as existed between the U.S. and Soviet nuclear arsenals – with the implicit assumption being that this represents a sort of stability. I’m not sure that holds. What made MAD work was transparency – the impossibility of the surprise “first-strike” that negated the “mutual” part of MAD. That transparency is completely lacking when it comes to the use of power in cyberspace. There is near-zero attribution (officially, anyway) of activities, of tracing cyberwar back to identifiable cyberwarriors. There is a level of secrecy afforded to the cyber-environment that I’d wager tempts states to take more risks, producing greater instability over time.

Back to Google and China. Where this represents a landmark – or where it doesn’t – is in the transparency Google brought to the situation that developed. Fundamentally, Google’s decision challenges the international norm that has allowed activities like China’s to continue and proliferate across global networks. The proposition that Google’s decision implies is that if international actors are to interact on the global internet, a set of acceptable behaviors to govern their interactions must be defined through practice. Google’s decision in effect implies that current practice is unacceptable.

And it may be the case that only a non-state actor like Google, one not vested in questions of international power, could do this. Whether this challenge gains momentum – or whether we give up on the idea of a global internet altogether – remains to be seen.

One Response

[…] power, among other things. But doesn’t the current Google-China dispute show that that the question of norms actually isn’t being actively pursued by governments, but by non-governmental actors? […]